Exploiting the User PII Held in Everyone&#039;s Web Browser

Browsers are the single most used application today. Everyone uses at least one browser, whether in the office or at home. But not everyone realizes just how much personal data is left hanging around inside their browsers; nor how easy it is for third-parties to extract it.

Ryan Benson, formerly a forensic analyst with both Mandiant and Stroz Friedberg and now senior threat researcher at San Mateo, CA-based Exabeam, decided to examine just how much data is available, and how readily it can be harvested.

Benson used a modified version of OpenWPM (a web privacy measurement framework) and Firefox to visit the Alexa Top 1000 websites, navigating to three links on each site to simulate normal user browsing. The purpose here was to look for evidence of device identification and geolocation — and Benson found evidence that 56 websites recorded geolocation details, and 56 websites recorded the user’s IP address.

The second phase of the research involved interaction with websites. “In order to do this,” writes Benson in a blog account of the research, “we needed to create accounts on these sites, log in, perform a relevant action (e.g., send an email on a webmail server, view a document on a cloud storage platform, etc.), and see what traces could be found.”

The services chosen were typical of normal Internet usage — Google, Youtube, Facebook, Reddit, Amazon, Twitter, Live and so on — and did not seek to reflect any more exotic use of the Web. The results here become more interesting, because traces of the interactions were left within the browser. These include the browsing history (where and when different sites are visited), email addresses, search queries, and files viewed and downloaded.

This provides a rich source for both user identification and profiling that could be leveraged for targeted spear-phishing for more secure and confidential company accounts.

The picture gets worse with the details held by the browser for automatic form completion, and the passwords held in the browser’s internal password manager. Both of these services offer huge productivity gains for the user; but huge PII value for the attacker.

The password manager stores passwords in encrypted form; but they are automatically decrypted for use, and can be easily accessed by software — such as the free NirSoft tool that dumps saved passwords — and various malwares. “The recent ‘Olympic Destroyer’ malware used to disrupt the Pyeongchang Olympic Games,” writes Benson, “reportedly took advantage of user credentials saved in the browser.”

The available data, unless direct action is taken to exclude it from the browser, can include passwords (including email passwords), location history, user interests, employer and company position, and device details.

All of this data is easily available to any attacker that has access — physical or virtual — to any desktop, laptop or mobile device that uses a browser. Anti-malware controls cannot prevent all malware, while malware detection systems often look for signs of large scale data exfiltration. It is easy to picture stealthy malware getting through defenses and lying almost totally dormant, just extracting small amounts of data from the user’s browser.

A physical attack, using the evil maid scenario, is even simpler. “If a machine is unlocked,” warns Benson, “extracting browser data for analysis could be done in seconds with the insertion of a USB drive running specialized software or click of a web link to insert malware.”

Benson describes the data held by the browser as the user’s ‘web dossier,’ and describes ways in which it could be exploited; often by inferring extensions to the data discovered. “Criminals can learn who in a company has access to the financial or payroll application,” he warns, “and compile a list of usernames to use to break in.” Details surmised from the browsing history can help craft compelling phishing emails targeted at senior personnel, or designed to persuade users to reset company account passwords which can then be harvested.

The best way to prevent web dossier details being harvested by attackers is to exclude them from the browser. Methods could include increased use of the browser’s incognito mode, which excludes session details from being saved and potentially exploited. The internal password manager should be abandoned and replaced by third-party separate managers.

In reality, even locking down the browser and using incognito browsing, will not prevent all access to personal data — much of it will still be available to ISPs. In some countries, such as the UK, this data can be accessed by a range of law enforcement and government offices. In other countries, including the U.S., third parties can buy this data from the ISPs.

The solution here depends upon both personal and company risk appetites. “If this is a concern,” Benson told SecurityWeek, “the solution is to use a VPN. Not only will the ISP not know where you are going, the website visited won’t even know what country you come from.”

Exabeam raised $10 million in a Series A funding round led by Norwest Venture Partners, with participation from Aspect Ventures and angel investor Shlomo Kramer, in June 2014. This was followed by a further $25 million Series B in 2015, and $30 million Series C in 2017.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.